Russian government hackers broke America’s cybersecurity defenses. They got into high-level departments like the U.S. Treasury and the Department of Commerce. They may have infiltrated hundreds of Fortune 500 companies, along with other sensitive areas both public and private. They may have accessed email accounts and who knows what else.
Worse yet, the breach may have gone undetected for nine months — from March 2020 through mid-December (last week). It was only on Saturday, Dec. 12, that the U.S. National Security Council called an emergency meeting to respond to the news.
Agency officials all across the U.S. government, along with chief technology officers in Fortune 500 companies all around the world, are scrambling. On a scale of 1 to 10 in terms of “severity and national-security implications,” a government insider told the Wall Street Journal the breach is a “10.”
The news is like a four-alarm fire that you can’t even see. Imagine finding out one of your company’s most dangerous adversaries installed hidden malware on all the office computers — and did it nearly a year ago, leaving you in the dark as to what they’ve seen, stolen, carted off, or left behind in terms of unknown malware or malicious code.
To make a crude summation, the highest echelons of both the U.S government and the U.S. private sector are riddled with Russian malware, which could be deployed for espionage purposes or something even worse. It’s like a Tom Clancy novel come to life.
Depending on how things play out, the consequences of this staggering breach could fall hard on Russia, and on Vladimir Putin himself. The fallout could also impact global energy markets.
A slow build-up of tension with Russia was already in the works for the United States. An aggressive confrontation between the incoming Biden administration and the Kremlin may now happen sooner rather than later in 2021.
So how in the world did this happen?
Cozy Bear, a notorious hacking division of the Russian government, was able to execute a subtle and sophisticated “supply chain attack” on a software provider to the world’s major players.
A supply-chain attack is a cybersecurity term of art, referring to the exploitation of a widely used product or service to potentially compromise any user who is connected to that service.
The supply-chain element that was compromised is a software tool known as Orion, which is used to monitor activity across an internal network. Orion is a product of SolarWinds Corporation, a 20-year-old information technology company based in Austin, Texas.
To scan the SolarWinds client list is to immediately see the problem. SolarWinds product users include 85% of all Fortune 500 companies, the Secret Service, the U.S. Federal Reserve, the U.S. Department of Defense, the National Security Agency, and more.
Thousands of the most strategically important and commercially valuable entities in the world, both public and private, use Orion, which exposed them to the Russian breach.
SolarWinds estimates that fewer than 18,000 customers out of more than 300,000 were impacted by the hack — about 6% of the total — but that 6% includes the cream of the crop.
The hackers appear to have “Trojanized” an Orion software security patch. (A Trojan horse is a means of getting inside a security perimeter by means of deception, as happened with the famous wooden horse in the legend of the fall of Troy.)
It is common for a software package to update itself every so often, via permission granted by the user, with new code streamed out from the parent company. You have likely seen these update requests for your own computer or smartphone. The Russians figured out how to use Orion patches as a backdoor means of system entry, while carefully covering their tracks.
“This is classic espionage,” Johns Hopkins professor and cybersecurity specialist Thomas Rid told the Washington Post. “It’s done in a highly sophisticated way,” he added.
The full extent of the damage is still being determined, and much of the detail will never be made public. Some information is so sensitive, the government would consider it dangerous just to admit that it was compromised. Private companies, meanwhile, will pick and choose what they reveal to shareholders.
The clean-up costs alone, let alone the espionage fallout, could run into the tens of billions as massive I.T. system architectures are swept clean or even thrown out and rebuilt from scratch.
It is impossible to imagine the U.S. government letting this go. Russia will be confronted, and quite likely punished, by the incoming Biden administration in 2021.
We don’t know what that punishment will look like, but the fallout could have a pronounced geopolitical effect. One area of direct transmission could be the oil and gas markets, where Russia remains one of the most important players in the world.
Aside from the security implications — not knowing what the Russians took, or what they planted and left behind, or what they now know — we can absolutely expect a ratcheting up of global tensions in 2021.
This will also come as the new U.S. administration works to shore up European alliances and rebuild the North Atlantic Treaty Organization (NATO), an entity directly opposed to Russian geopolitical goals.